A fully qualified URL for specifying the protocol, url and port to
connect to. It is useful for specifying ldaps://. Takes precedence
over "host" and "port" options. Only works
if PHP has been compiled against OpenLDAP 2+ libraries.

"version"

integer

2

LDAP version to use, usually 2 (default) or 3, must be an integer!

"referrals"

boolean

TRUE

If set, determines whether the LDAP library automatically follows
referrals returned by LDAP servers or not.

"binddn"

string

"

If set, searching for user will be done after binding as this user,
if not set the bind will be anonymous. This is reported to make the
container work with MS Active Directory, but should work with any
server that is configured this way. This has to be a complete dn for
now (basedn and userdn will not be appended).

"bindpw"

string

"

The password to use for binding with binddn.

"basedn"

string

"

The base DN of your server.

"userdn"

string

"

Gets prepended to basedn when searching for users.

"userscope"

string

"sub"

Scope for user searching: one, sub (default), or base.

"userattr"

string

"uid"

Defines the attribute to search for.

"userfilter"

string

"(objectClass=posixAccount)"

Filter that will be added to the search filter this way:
(&(userattr=username)(userfilter)).

"attributes"

array

array('')

Array of additional attributes to fetch from entry. These will added
to auth data and can be retrieved via
Auth::getAuthData(). An empty array will fetch all attributes, array('') will
fetch no attributes at all (default). If you add 'dn' as a value to
this array, the user's DN that was used for binding will be added to
auth data as well.

"attrformat"

string

"AUTH"

The returned format of the additional data defined in the 'attributes'
option. Two formats are available.

LDAP returns data formatted in a multidimensional array where each
array starts with a 'count' element providing the number of attributes
in the entry, or the number of values for attributes. When set to this
format, the only way to retrieve data from the
Auth object is by calling
getAuthData('attributes'). This was the default
format before version 1.3.0.

AUTH returns data formatted in a structure more compliant with other
Auth Containers, where each attribute element can be directly called
by getAuthData() method from
Auth. This became the default as of 1.3.0.

"groupdn"

string

"

Gets prepended to basedn when searching for group.

"groupattr"

string

"cn"

The group attribute to search for.

"groupfilter"

string

"(objectClass=groupOfUniqueNames)"

Filter that will be added to the search filter when searching for a
group: (&(groupattr=group)(memberattr=username)(groupfilter)).

"memberattr"

string

"uniqueMember"

The attribute of the group object where the user dn may be found.

"memberisdn"

boolean

TRUE

Whether the memberattr is the dn of the user (default) or the value of
userattr (usually uid).

"group"

string

"

The name of the group users have to be a member of to authenticate
successfully.

"groupscope"

string

"sub"

Scope for group searching: one, sub (default), or base.

"start_tls"

boolean

"false"

Enable/disable the use of START_TLS encrypted connection.

"try_all"

boolean

FALSE

If multiple entries are returned by the search attempt to authenticate
against each entry in order or just the first one (default).

When talking to a Microsoft ActiveDirectory server you have to use
'samaccountname' as the 'userattr' and follow special rules to translate
the ActiveDirectory directory names into 'basedn'. The 'basedn' for the
default 'Users' folder on an ActiveDirectory server for the ActiveDirectory
Domain (which is not related to its DNS name) "win2000.example.org" would
be: "CN=Users, DC=win2000, DC=example, DC=org" where every component of the
domain name becomes a DC attribute of its own. If you want to use a custom
users folder you have to replace "CN=Users" with a sequence of "OU"
attributes that specify the path to your custom folder in reverse order. So
the ActiveDirectory folder "win2000.example.org\Custom\Accounts" would
become "OU=Accounts, OU=Custom, DC=win2000, DC=example, DC=org"

It seems that binding anonymously to an Active Directory is not allowed, so
you have to set binddn and bindpw for user searching.

LDAP Referrals need to be set to false for AD to work sometimes.

Note also that if you want an encrypted connection to an MS LDAP server,
then, on your webserver, you must specify "TLS_REQCERT never"
in /etc/ldap/ldap.conf or in the webserver user's ~/.ldaprc (which may or
may not be read depending on your configuration).